apple_badger

"Where a VPN comes in is that it could act as a major route on the information superhighway that is the internet. While your normal ISP-based route for your packets could take a congested or slow path to the destination, a VPN could help you bypass the slow bits. 

If you're playing on far-away servers, such as those in a different continent to where you are, it could be better to use a VPN server. Using one that exits on that continent will reduce the number of hops required."

This is either completely wrong or phrased oddly. If, by some weird chance it ever happens that using a VPN improves anything to do with latency, it's some odd accident that almost certainly won't happen on a regular basis. 

hmlongco said:

apple_badger said:

That's not how vulnerability chaining doesn't work. Safari is already downloaded and running on your device and CVE-2022-32893 potentially gives an attacker the ability to use Safari to leverage CVE-2022-32894. 

Yet AFAIK Safari doesn't ship with a malicious code exploit embedded within it. Not to mention that WebKit is also sandboxed pretty heavily. I'll grant that the possibility of chaining one exploit into another... but only in the sense that ANYTHING is possible. It's possible that the Earth could explode in the next 0.2 seconds. It is, however, not probable.

Safari doesn't have to ship with malicious code; CVE-2022-32893  allows an attacker to inject their own code into the Safari process and execute it. At this point sandboxing should kick in and limit the damage, but CVE-2022-32894 allows the possibility of that attacker's code being run with kernel privileges, at which point it's game over. This is not an unlikely event; it's an absolutely textbook example of an exploit chain. 

hmlongco said:

apple_badger said:

CVE-2022-32893 is an arbitrary code execution bug in Webkit. 
CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.

Both have been addressed in this update. 

https://support.apple.com/en-us/HT213413

Okay, The kernel issue is related to an application running on macOS. i.e. The user would have to download, enable, and run an app with an exploit. The arbitrary code execution bug in Webkit is worrisome, but isn't related to the kernel privileges issue. 

It's not, "A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. " They're not "paired", they're two distinct issues.

That's not how vulnerability chaining doesn't work. Safari is already downloaded and running on your device and CVE-2022-32893 potentially gives an attacker the ability to use Safari to leverage CVE-2022-32894. 

hmlongco said:

apple_badger said:

I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 

I feel like we're already in one of those "phone" games. The original mention was "elevated privileges" which you immediately escalated to "kernel privileges".

CVE-2022-32893 is an arbitrary code execution bug in Webkit. 
CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.

Both have been addressed in this update. 

cpsro said:

apple_badger said:

I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 

Even if an Apple user doesn't manually update, the system will automatically update within a week of release.

Only if automatic updates are enabled, unless something has changed since the last time I checked (which is a possibility). Though, automatic updates are on by default. 

(I'm not being critical of Apple here; I'm disagreeing with this story's downplaying of the importance of this update. It's *very* important, and it's very important to update sooner rather than later)

Edit to add: The time from publication of a vulnerability to attempted exploitation is now measured in hours, not days or weeks. When something like this is made public then its value as something to be used in targeted attacks against only high value targets is effectively zero. There's no reason for bad actors to exercise restraint at this point.